Malware Exfiltrating Credentials Via DNS

Researchers from Alert Logic have discovered and reported on a malware campaign using DNS queries to exfiltrate credentials. The credentials are obtained from a backdoored SSH client on a victim system.

When the client makes a connection to a remote server, the username, password, IP address of the remote server, and the local system's MAC address and domains are exfiltrated as three encoded strings in a DNS query to the attacker-controlled name servers.
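As an added illustration of the defender's side of the technique described above (this is not code from the page or from Alert Logic), the following Python scores query names from a DNS query log for the shape an encoded payload takes: long, numerous, high-entropy labels to the left of the registered domain. The log format, the thresholds, and the sample query names are assumptions constructed for the example; the page does not describe the campaign's actual encoding, so nothing here decodes it.

```python
import math
import re
from collections import Counter
from typing import Dict, List

# Constructed sample query log (not from the original page), one query per line:
#   <timestamp> <client-ip> <qname> <qtype>
# The last two lines mimic the shape of an encoded payload split across several
# long labels; the hex strings are invented and carry no real data.
SAMPLE_LOG = """\
2024-01-01T10:00:01Z 10.0.0.5 www.example.com A
2024-01-01T10:00:02Z 10.0.0.5 mail.example.com MX
2024-01-01T10:00:03Z 10.0.0.7 cdn-assets.example.org A
2024-01-01T10:00:04Z 10.0.0.5 4a7c9e2f1b3d8a6e5f0c2b9d7e1a3c5f.8b1e4d7a2c9f6b3e0d5a8c1f4b7e2d9a.6c2f9e1b4d7a3c8e.exfil-example.invalid A
2024-01-01T10:00:05Z 10.0.0.5 7f3e9c2a1d8b5e4f6a0c9d2e3b8f1a7c.1a9d4c7e2f8b3a6d0e5c9f2b4d7a1e8c.3e7a1c9f2b8d5e4a.exfil-example.invalid A
"""

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)$")

# Thresholds are tunable assumptions chosen for this example, not values from the page.
MAX_PAYLOAD_LEN = 50      # total characters in labels left of the registered domain
MAX_LABEL_LEN = 30        # a single label this long is rare in legitimate hostnames
MIN_ENTROPY = 3.5         # bits per character; hex/base32 payloads run close to 4
MIN_LEN_FOR_ENTROPY = 20  # entropy of very short strings is not meaningful


def shannon_entropy(s: str) -> float:
    """Bits of Shannon entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def analyze_qname(qname: str, base_labels: int = 2) -> Dict[str, object]:
    """Score one query name.

    base_labels approximates the registered domain (e.g. example.com); every
    label left of it is treated as data the querying host chose, i.e. the part
    an exfiltration channel would carry its payload in.
    """
    labels = qname.rstrip(".").lower().split(".")
    sub = labels[:-base_labels] if len(labels) > base_labels else []
    payload = "".join(sub)
    reasons = []
    if len(payload) >= MAX_PAYLOAD_LEN:
        reasons.append("payload_length")
    if sub and max(len(label) for label in sub) >= MAX_LABEL_LEN:
        reasons.append("long_label")
    if len(payload) >= MIN_LEN_FOR_ENTROPY and shannon_entropy(payload) >= MIN_ENTROPY:
        reasons.append("high_entropy")
    return {
        "qname": qname,
        "payload_len": len(payload),
        "labels": len(sub),
        "entropy": round(shannon_entropy(payload), 2),
        "reasons": reasons,
    }


def find_exfil_candidates(text: str) -> List[Dict[str, object]]:
    """Return the analysis (plus client and timestamp) for every flagged query."""
    flagged = []
    for rec in parse_log(text):
        result = analyze_qname(rec["qname"])
        if result["reasons"]:
            result.update(client=rec["client"], ts=rec["ts"])
            flagged.append(result)
    return flagged


if __name__ == "__main__":
    for hit in find_exfil_candidates(SAMPLE_LOG):
        print(f'{hit["ts"]} {hit["client"]} {hit["qname"][:40]}... '
              f'len={hit["payload_len"]} H={hit["entropy"]} {",".join(hit["reasons"])}')
```

Run over the constructed log, the two long hex names are flagged and the three ordinary names are not. In production this heuristic needs an allowlist: CDNs, antivirus telemetry and DNS blocklist lookups legitimately use long, random-looking labels, and a better baseline is the per-client volume of unique subdomains under one parent domain, since an exfiltration channel produces many distinct names that are never queried twice.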

Alert Logic has provided code for decoding the first of the three strings sent in the DNS query.

Data exfiltration is any unauthorized movement of data. It is also known as data exfil, data exportation, data extrusion, data leakage and data theft.